
You may have noticed some domain names scrolling across our home page. This new feature, recently added to our website, is a time-delayed demonstration of what you will see on our Newly Observed Domains channel on the Security Information Exchange.

We first developed Newly Observed Domains back in 2014 because we observed that domain names used for malicious purposes tend to be registered, abused, and discarded very quickly, while legitimate domain names tend to have long lifespans. Attackers do this to evade detection by security products, changing domains faster than defenders can identify and block them. Newly Observed Domains is an observational dataset that can be used to temporarily block new domains while their intent is being established.

Newly Observed Domains is often deployed as a DNS Response Policy Zone for protecting workstations or as a Real-Time Blackhole List for blocking or delaying email. The former case protects users from phishing attacks and workstations from drive-by downloads by preventing DNS resolution of new domain names. The latter case allows the mail server to detect that a domain name in the SMTP conversation, message headers, or body is novel and apply a policy, such as rejecting the message with a permanent or temporary error code, or sending the message to a queue for delayed processing. Temporary error codes are particularly effective because a legitimate SMTP server will retry later, whereas a spam bot will have been detected and blocked, should it even re-attempt delivery.
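The mail-server policy described above, sketched as an added example (not Farsight code). The `NEWLY_OBSERVED` set is a constructed stand-in for the blackhole-list lookup, and the function names, sample message and reply texts are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed stand-in for the list lookup (assumption: a real deployment
# would query the Newly Observed Domains list instead of a local set).
NEWLY_OBSERVED = {"fresh-invoice-portal.example", "login-verify.test"}

# Dotted hostnames ending in an alphabetic TLD.
DOMAIN_RE = re.compile(
    r"(?i)\b((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})\b")

# Constructed sample message: clean headers, novel domain in the body.
SAMPLE_MESSAGE = (
    "From: Billing <billing@example.org>\n"
    "Subject: Invoice\n"
    "\n"
    "Please sign in at http://login-verify.test/reset today.\n"
)

def candidate_domains(mail_from, raw_message):
    """Collect names from the envelope sender, sender headers and body."""
    msg = message_from_string(raw_message)
    texts = [mail_from]
    texts += [str(v) for k, v in msg.items()
              if k.lower() in ("from", "reply-to", "return-path", "received")]
    payload = msg.get_payload()
    # Only single-part bodies are scanned here; multipart would need a walk().
    texts.append(payload if isinstance(payload, str) else "")
    return {m.group(1).lower() for t in texts for m in DOMAIN_RE.finditer(t)}

def is_newly_observed(domain):
    """Match the name or any parent, so mail.new.example hits new.example."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in NEWLY_OBSERVED
               for i in range(len(labels) - 1))  # never test the bare TLD

def smtp_policy(mail_from, raw_message):
    """Return (code, text): temporary failure if any domain is novel."""
    hits = sorted(d for d in candidate_domains(mail_from, raw_message)
                  if is_newly_observed(d))
    if hits:
        # 4xx: a legitimate server retries later, after the domain has aged.
        return 451, "4.7.1 Domain too new, try again later: " + ", ".join(hits)
    return 250, "2.0.0 OK"

if __name__ == "__main__":
    print(smtp_policy("bounce@example.org", SAMPLE_MESSAGE))
```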

In the past, we would demonstrate NOD at in-person trade show events. Today, we are happy to bring a version of NOD to our website so you can see the tool for yourself. We hope that you enjoy the new widget on our home page. Please reach out to our sales team to discuss how Newly Observed Domains can help you solve problems.

Henry Stern is a Senior Solutions Architect for Farsight Security, Inc.